Forefront TMG 2010 with Exchange Server 2010

    Question

  • We have recently set up a new environment with Forefront TMG at the center and two networks off of the TMG, one for internal and one DMZ. 

    Exchange 2010 seems to be the real issue in this environment; however, I have configured Exchange and the TMG as per a number of different guides I have found online and other threads in this forum. I have also published the Exchange server through the TMG. The odd behavior I see, however, is that internally I can connect to OWA or Outlook Anywhere just fine; in the external zone, or from a client in another network, I can reach OWA completely fine but I cannot reach Outlook Anywhere. 

    Does anyone have any pointers on where I may be going wrong, or where I could look to try to troubleshoot the issue? 

    Any advice would be much appreciated.

    Monday, December 10, 2012 9:37 AM

Answers

  • Cool, I did have this disabled under the AD node. 

    We now have this working. In the attempt to debug the problems we were having, a number of bits were reconfigured to test. Going back through the entire configuration I noticed a misconfigured URL and it all appears to work now. 

    Thanks for your help guys.

    Thursday, December 13, 2012 11:28 AM

All replies

  • Three things you can start with:

    1) click "test rule" on the rule that publishes OA and see if it is successful

    2) check the TMG logs and see what is logged when an OA connection attempt is made

    3) run TMG Best Practices Analyzer and see if it discovers any issues with your configuration

    http://www.microsoft.com/en-us/download/details.aspx?id=17730

    You may need to perform all three steps in order to find the issue. The information you have provided is not enough to give any specific advice, but from experience you need to examine the listener, certificate and rule.


    Hth, Anders Janson Enfo Zipper

    Monday, December 10, 2012 12:33 PM
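    Added example, not part of this thread and not a Microsoft tool: a small Python probe that checks the three things named above (listener, certificate, rule) from outside the TMG, the way a remote Outlook client does. It connects over TLS with certificate validation left on (a name mismatch on the listener certificate shows up as its own finding), then sends unauthenticated requests to the RPC-over-HTTP proxy using GET and the two methods Outlook Anywhere actually uses, RPC_IN_DATA and RPC_OUT_DATA, and maps each reply to a diagnosis. A healthy publish answers 401 with a Basic, NTLM or Negotiate challenge; 404, 403, a redirect or a 200 each point at a different part of the TMG configuration. The host name mail.example.com is a placeholder, and the diagnosis texts are this example's own reading of what each status usually means; confirm them against the TMG log entry for the same request.

```python
"""Probe a published Outlook Anywhere endpoint from the outside.

Added example (not from the forum thread).  Assumptions, labelled here and
in the code: PUBLIC_HOST is a placeholder; the paths and HTTP methods are
the standard ones Outlook Anywhere uses; the diagnosis strings are this
script's own interpretation and should be checked against the TMG log.
"""
import http.client
import socket
import ssl

PUBLIC_HOST = "mail.example.com"     # placeholder: the name Outlook is told to use
RPC_PATH = "/rpc/rpcproxy.dll"       # the RPC-over-HTTP proxy behind Outlook Anywhere
OWA_PATH = "/owa/"                   # known-good path on the same listener, for comparison

# Outlook Anywhere only ever uses these two methods against rpcproxy.dll.
# A rule that allows GET/POST only will deny them while /owa keeps working.
OA_METHODS = ("RPC_IN_DATA", "RPC_OUT_DATA")


def challenge_schemes(www_authenticate):
    """Return the set of scheme names found in a WWW-Authenticate value.

    http.client joins repeated headers with ', ', so one value may carry
    several challenges, e.g. 'Negotiate, NTLM, Basic realm="mail"'."""
    schemes = set()
    for part in (www_authenticate or "").split(","):
        part = part.strip()
        if part:
            schemes.add(part.split()[0].lower())
    return schemes


def classify_rpc_response(status, www_authenticate, location=None):
    """Map the reply to an unauthenticated request for rpcproxy.dll to a
    (diagnosis_code, explanation) pair.  The healthy state is a 401 that
    offers Basic, NTLM or Negotiate: the proxy is reachable and Outlook will
    authenticate on the next request."""
    schemes = challenge_schemes(www_authenticate)
    if status == 401:
        if schemes & {"basic", "ntlm", "negotiate"}:
            return "ok", "rpcproxy.dll reachable; challenges offered: " + ", ".join(sorted(schemes))
        return "no-challenge", ("401 without Basic/NTLM/Negotiate: Outlook cannot authenticate; "
                                "check the listener authentication method and delegation")
    if status == 404:
        return "not-published", ("404: /rpc is not covered by the publishing rule's path set, "
                                 "or the rule forwards to the wrong internal name")
    if status == 403:
        return "denied", ("403: reached TMG or IIS but was refused; check the rule's allowed "
                          "methods and the SSL-required setting")
    if status in (301, 302):
        return "redirected", "redirect to %s: a browser-oriented rule is catching the RPC path" % location
    if status == 200:
        return "wrong-content", ("200 for an unauthenticated request: a login form or default page "
                                 "is served instead of the RPC proxy (forms-based listener or wrong rule)")
    return "unexpected", "HTTP %d is not a state a working Outlook Anywhere publish produces" % status


def fetch(host, path, method, timeout=10):
    """Send one unauthenticated request over validated TLS.

    Returns ('http', status, www_authenticate, location) when a reply came
    back, or ('certificate' | 'listener', message) when TLS or TCP failed."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request(method, path, headers={"User-Agent": "MSRPC"})
        resp = conn.getresponse()
        resp.read()
        return ("http", resp.status, resp.getheader("WWW-Authenticate"), resp.getheader("Location"))
    except ssl.SSLCertVerificationError as exc:
        return ("certificate", "TLS certificate rejected for %s: %s" % (host, exc))
    except (socket.timeout, OSError) as exc:
        return ("listener", "no usable TLS listener on %s:443: %s" % (host, exc))
    finally:
        conn.close()


def diagnose(host, path, method):
    """Combine fetch() and classify_rpc_response() into one (code, text)."""
    result = fetch(host, path, method)
    if result[0] != "http":
        return result
    _, status, www_auth, location = result
    if path == OWA_PATH:                       # OWA is only a baseline, not diagnosed
        return ("baseline", "HTTP %d" % status)
    return classify_rpc_response(status, www_auth, location)


if __name__ == "__main__":
    requests = [(OWA_PATH, "GET"), (RPC_PATH, "GET")] + [(RPC_PATH, m) for m in OA_METHODS]
    for path, method in requests:
        code, text = diagnose(PUBLIC_HOST, path, method)
        print("%-12s %-20s %-14s %s" % (method, path, code, text))
```

    Run it from a client outside the TMG. If /owa/ returns a baseline status while GET to rpcproxy.dll returns 404, the rule does not publish /rpc at all; if GET gets a 401 challenge but RPC_IN_DATA is denied, the rule's allowed methods are the problem; a certificate finding means the public name Outlook uses does not match what the listener presents, which is the same class of mistake as a misconfigured URL in the publishing rule.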
  • So running through the steps above:

    1) click "test rule" on the rule that publishes OA and see if it is successful

    Test Rule came back as successful for each of the components in the rule.

    2) check the TMG logs and see what is logged when an OA connection attempt is made

    I have noticed in the TMG logs when OA tries to connect I get the following message, which I think is where the problem lies:

    RPC(all interfaces) Denied. - The policy rules do not allow the user request.

    3) run TMG Best Practices Analyzer and see if it discovers any issues with your configuration

    Similar to the above, one of the messages in the Best Practices Analyzer report points to RPC compliance. The message being "Strict RPC compliance is enforced in an access rule that allows traffic to or from the local." (this goes on to mention the default firewall rule). There are instructions to right-click the default rule > click Configure RPC protocol and clear the checkbox. I am running TMG 2010 Standard I believe, and I cannot see this option to configure the RPC protocol when I right-click on any of the entries within the firewall or web access pages of the TMG.

    What configuration needs to be carried out to allow OA traffic through? I assume OA makes use of RPC however I don't remember anything in the guides with regards to configuring RPC. Also at which points in the config should this be set?

    Any pointers are great :D Thanks for the replies so far :)

    Monday, December 10, 2012 5:17 PM
  • You need to disable Strict RPC compliance in two places:

    - on the System Policy Rule for Active Directory.

    - on the rule publishing OA as well (right-click the rule and select RPC filter and do this).


    Hth, Anders Janson Enfo Zipper

    Monday, December 10, 2012 7:01 PM
  • You need to disable Strict RPC compliance in two places:

    - on the System Policy Rule for Active Directory.

    - on the rule publishing OA as well (right-click the rule and select RPC filter and do this).


    Hth, Anders Janson Enfo Zipper

    On the rules I do not have the right-click option for RPC filter; I have Properties, Delete, Copy, Ungroup, Export Selected, Import to Selected, Move Down, Disable, Configure HTTP. Am I missing something? We are running TMG version 7.0.9193.500, if that makes any difference. 
    Tuesday, December 11, 2012 10:18 AM
  • Did you create the rule using the appropriate wizard for Exchange Outlook Anywhere? Or did you just publish using the regular web server wizard? The first is the correct way, the second is not.

    Did you disable Strict RPC compliance on the System Policy rule I mentioned?

    Is the RPC filter bound to the OA publishing rule?

    Is the RPC filter disabled? (it shouldn't be)


    Hth, Anders Janson Enfo Zipper

    Tuesday, December 11, 2012 1:36 PM
  • I used the built in wizard for publishing Exchange Outlook Anywhere. 

    Did you disable Strict RPC compliance on the System Policy rule I mentioned? - I don't seem to have the option to do this.

    Is the RPC filter bound to the OA publishing rule? - Not that I can see.

    Is the RPC filter disabled? (it shouldn't be) - No

    I do notice that the Outlook Anywhere rule only uses HTTPS; should it use other protocols as well? We are trying to connect over HTTPS from the Outlook clients.

    Alan

    Tuesday, December 11, 2012 1:58 PM
  • In TMG, on the right hand side in the firewall policy, Tasks tab, click the link "Edit System Policy" under System Policy Tasks. You may need to scroll down.

    Click the Active Directory node in the Authentication Services section and disable "Strict RPC compliance". Apply the configuration.

    I am sorry for the confusion; my memory failed with regard to the RPC filter on the rule, it isn't there.


    Hth, Anders Janson Enfo Zipper


    • Edited by Anders Janson Tuesday, December 11, 2012 6:46 PM For clarity
    Tuesday, December 11, 2012 6:45 PM
  • Hi,

    Thank you for the post.

    You may also read this article about outlook anywhere: http://blogs.technet.com/b/exchange/archive/2008/06/20/3405633.aspx

    Regards,


    Nick Gu - MSFT

    Wednesday, December 12, 2012 8:54 AM